Attivo
Integration version: 2.0
Configure Attivo integration in Google Security Operations SOAR
For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.
Integration parameters
Use the following parameters to configure the integration:
| Parameter name | Type | Default value | Is mandatory | Description |
|---|---|---|---|---|
| API Root | String | https:/{{ip address}} | Yes | API root of the Attivo instance. |
| Username | String | N/A | Yes | Attivo API Username. |
| Password | Password | N/A | Yes | Attivo API Password. |
| Verify SSL | Checkbox | Checked | Yes | If enabled, verifies that the SSL certificate for the connection to the Attivo server is valid. |
Actions
Ping
Description
Test connectivity to Attivo with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.
Parameters
N/A
Run on
This action doesn't run on entities.
Action results
Script result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True/False | is_success=False |
Case wall
| Result type | Description | Type |
|---|---|---|
| Output message* | If successful: Successfully connected to the Attivo server with the provided connection parameters! If not successful: Failed to connect to the Attivo server! Error: {0}".format(exception.stacktrace) |
General |
Enrich Entities
Description
Enrich entities using information from Attivo. Supported entities: Hostname, IP Address.
Parameters
| Parameter name | Type | Default value | Is mandatory | Description |
|---|---|---|---|---|
| Include ThreatPaths | Checkbox | Checked | No | If enabled, the action returns information about ThreatPaths related to the entity. |
| Include Vulnerabilities | Checkbox | Checked | No | If enabled, the action returns information about vulnerabilities related to the entity. |
| Include Credential Info | Checkbox | Checked | No | If enabled, the action returns information about credential information related to the entity. |
| Create Insight | Checkbox | Checked | No | If enabled, the action creates an insight containing all of the retrieved information about the entity. |
| Max ThreatPaths To Return | Integration | 50 | No | Specify the number of ThreatPaths to return per entity. |
| Max Vulnerabilities To Return | Integration | 50 | No | Specify the number of vulnerabilities to return per entity. |
| Max Credentials To Return | Integration | 50 | No | Specify the number of credentials to return per entity. |
Run on
This action runs on the Hostname and IP Address entities.
Action results
Script result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True/False | is_success=False |
JSON result
{
"upgradeToVersion": null,
"quarantineStatus": 0,
"acmId": -1,
"tostatus": 0,
"systemtype": "VM",
"adsErrorMessage": "",
"accessprotection": false,
"functionalId": {
"templateName": null,
"usersid": null,
"errorCode": 0,
"debugInfo": "",
"userName": "exlab.local\\Administrator",
"status": null,
"timestamp": 1636558715000
},
"ondAssigned": false,
"usersInfo": [
{
"templateName": "Default_ThreatStrike_Profile:2",
"usersid": "S-1-5-21-2143737273-3756110848-2070699859-500",
"errorCode": 0,
"debugInfo": "Error:0 lsass UnInstallation\\nError:0 webftp UnInstallation\\nError:0 cookies UnInstallation\\nError:0 mstsc UnInstallation\\nError:0 SMB UnInstallation\\nError:0 Web Credential UnInstallation\\nError:0 outlook UnInstallation\\nError:0 iexplorer UnInstallation\\nError:0 Putty UnInstallation\\nError:0 Mozilla UnInstallation\\nError:0 Chrome UnInstallation\\nError:0 FileZilla UnInstallation\\nError:0 lsass UnInstallation\\nError:0 AWS UnInstallation\\nError:0 Telnet UnInstallation\\nError:0 OracleDBClient UnInstallation\\nError:0 IEFavorite UnInstallation\\nError:0 WindowsDNS UnInstallation\\nError:0 RasVPN UnInstallation",
"userName": "exlab.local\\Administrator",
"status": "INSTALLED",
"timestamp": 1636558727000
}
],
"id": 101,
"epVersion": "5.0.1.25",
"activeDirectory": {
"groups": [
"Domain Computers"
],
"organizationalUnit": "Computers"
},
"installMode": 2,
"processor_arch": " 64-bit",
"tdDeflectMessage": "",
"clientGroupId": "ThreatStrike-Default-Client",
"deployMode": 0,
"latestExecutableStatus": "INSTALLED",
"subscriberId": 1,
"botsinkDocumentId": 0,
"executableStatus": [
{
"timestamp": 1636558715000,
"status": "INSTALLED"
}
],
"processor_cpuSpeed": "2300 MHz",
"guid": "27f018b6-47c8-4b20-ab62-545c672ddf7cHOST02SMIME",
"ondMessage": "",
"debugCollect": false,
"ondInActive": false,
"adsstatus": 1,
"upgradeRequired": false,
"ondstatus": 0,
"hostName": "HOST02SMIME",
"memory": "8190 MB",
"lastModifiedTime": "2021-11-11T15:41:16.254Z",
"arstatus": 1,
"dnsName": "exlab.local",
"botsinkDeviceId": 0,
"endpoint_os_type": 1,
"disabledInClientGroup": false,
"tddstatus": 1,
"adsenabled": false,
"tdDeflectStatus": 0,
"osType": "Non-Server",
"featuresstatusforusers": [
{
"tddstatus": 1,
"tsstatus": 1,
"tostatus": 0,
"usersid": "S-1-5-21-2143737273-3756110848-2070699859-500",
"adsstatus": 1,
"logIn": 1636558717,
"ondstatus": 0,
"logOut": 0,
"tpstatus": 1,
"live": true,
"username": "exlab.local\\Administrator"
}
],
"interfaces": [
{
"subnet": "172.30.201.0/24",
"score": 1400.133919820602,
"macAddress": "00:50:56:a2:4c:e0",
"ipAddress": "172.30.201.198",
"name": "Intel(R) 82574L Gigabit Network Connection",
"type": "Wired",
"timestamp": 1636645218000
}
],
"migrateCL": false,
"debugStatus": false,
"osName": "Windows 10 64-bit",
"uptime": "134836",
"tsstatus": 1,
"processor_numOfCpu": 4,
"newClientGroup": null,
"tpstatus": 1,
"threatPaths": [
{
"destIp": "172.30.201.198",
"permissionId": -1,
"reason": null,
"srcHostName": "Unmanaged host",
"acmId": -1,
"source": null,
"type": "Paths",
"permScore": "Medium",
"cancellable": false,
"targetScore": "Medium",
"crRuleName": "System Default: Domain Admin Pilferage",
"credOuPath": "CN=Users,DC=exlab,DC=local",
"submissionId": -1,
"credAcctStatus": "Enabled",
"credential": "exlab.local\\administrator",
"srcId": "dummy-endpoint-1SUB1"
}
],
"vulnerabilities": [
"More than two Administrators were found on this computer",
"Presence of local administrative privileges for domain user account"
],
"credentials": [
{
"isDeceptive": true,
"service": "putty",
"domain": "EXLAB-W10H66.exlab.local\\accessDBuser",
"serverIp": "EXLAB-W10H66.exlab.local",
"isShortcut": false
},
{
"isDeceptive": true,
"service": "putty",
"domain": "EXLAB-W10H77.exlab.local\\accessDBadm",
"serverIp": "EXLAB-W10H77.exlab.local",
"isShortcut": false
}
]
}
Enrichment Table
| Enrichment field name | Logic - When to apply |
|---|---|
| os | When available in JSON |
| ip | When available in JSON |
| mac | When available in JSON |
| hostname | When available in JSON |
| users | When available in JSON |
| type | When available in JSON |
| uptime | When available in JSON |
| num_threatpaths | When available in JSON |
| num_vulnerabilities | When available in JSON |
| num_deceptive_creds | When available in JSON |
| num_real_creds | When available in JSON |
Case wall
| Result type | Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: >If data is available for one entity (is_success=true): "Successfully enriched the following entities using information from Attivo: {entity.identifier}". If data is not available for one entity (is_success=true): "Action wasn't able to enrich the following entities using information from Attivo: {entity.identifier}". If data is not available for all entities (is_success=false): "None of the provided entities were enriched." The action should fail and stop a playbook execution: >If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Enrich Entities". Reason: {0}''.format(error.Stacktrace) |
General |
| Case Wall Table | Table Title: {entity.identifier} Table Columns:
|
Entity |
Case Wall Table (If vulnerabilities are available) |
Table Name: {entity identifier} Vulnerabilities Table Column:Name |
General |
Case Wall Table (If threatpaths are available) |
Table Name: {entity identifier} ThreatPaths Table Columns:
|
General |
| Case Wall Table (If credentials are available) | Table Name: {entity identifier} Credentials Table Columns:
|
General |
List Critical ThreatPath
Description
List available critical ThreatPaths in Attivo.
Parameters
| Parameter name | Type | Default value | Is mandatory | Description |
|---|---|---|---|---|
| Filter Key | DDL | Select One Possible Values:
|
No | Specify the key that needs to be used to filter critical paths. |
| Filter Logic | DDL | Not Specified Possible Values:
|
No | Specify the filter logic that should be applied. Filtering logic works based on the value provided in the "Filter Key" parameter. |
| Filter Value | N/a | N/A | No | Specify the value that should be used in the filter. If "Equal" is selected, the action tries to find the exact match among results. If "Contains" is selected, the action tries to find results that contain the provided substring. If nothing is provided in this parameter, the filter is not applied. Filtering logic works based on the value provided in the "Filter Key" parameter. |
| Max Records To Return | Integrations | 50 | No | Specify the number of records to return. If nothing is provided, action will return 50 records. |
Runs on
This action doesn't run on entities.
Action results
Script result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True/False | is_success=False |
JSON Result
{
"criticalPaths": [
{
"destIp": "172.30.201.198",
"permissionId": -1,
"reason": null,
"srcHostName": "Unmanaged host",
"acmId": -1,
"source": null,
"type": "Paths",
"permScore": "Medium",
"cancellable": false,
"targetScore": "Medium",
"crRuleName": "System Default: Domain Admin Pilferage",
"credOuPath": "CN=Users,DC=exlab,DC=local",
"submissionId": -1,
"credAcctStatus": "Enabled",
"credential": "exlab.local\\administrator",
"srcId": "dummy-endpoint-1SUB1",
"destHostName": "HOST02SMIME",
"cid2": "rdp1",
"id": "Unmanaged host172.16.30.5HOST02SMIME172.30.201.198RDP Memory Credentialexlab.local\\administratorPaths",
"srcIp": "172.16.30.5",
"firstSeen": 1636667535105,
"credDept": null,
"subscriberId": 1,
"remediable": false,
"credLastPswResetTime": 1620201383000,
"credLastLogonTime": 1636729127000,
"moretarget": false,
"destId": "27f018b6-47c8-4b20-ab62-545c672ddf7cHOST02SMIME:S-1-5-21-2143737273-3756110848-2070699859-500",
"shareName": null,
"desc": "rdp Active logon session for exlab.local\\administrator at Unmanaged OU/172.16.30.5 (unmanaged host). Potential movement to Computers/HOST02SMIME.",
"cid": "rdp0",
"permissionName": "",
"destOu": "Computers",
"critical": true,
"isgrouppath": false,
"credUpn": "Administrator@exlab.local",
"credCreatedTime": 1610374114000,
"memberList": null,
"memberOf": null,
"remediateStatus": null,
"severity": "High",
"srcOu": "Unmanaged",
"target": "HOST02SMIME(172.30.201.198)",
"loggedOn": false,
"credSamAcctName": "Administrator",
"service": "RDP Memory Credential",
"credDisplayName": null,
"ukey": null,
"category": "Saved credential"
}
]
}
Case wall
| Result type | Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If data is available (is_success=true): "Successfully found critical ThreatPaths for the provided criteria in Attivo". If data is not available (is_success=false): "No ThreatPaths were found for the provided criteria in Attivo" If the "Filter Value" parameter is empty (is_success=true): The filter was not applied, because parameter "Filter Value" has an empty value. The action should fail and stop a playbook execution: If the "Filter Key" parameter is set to "Select One" and the "Filter Logic" parameter is set to "Equal" or "Contains": "Error executing action "{action name}". Reason: you need to select a field from the "Filter Key" parameter." If an invalid value is provided for the "Max Records to Return" parameter: "Error executing action "{action name}". Reason: "Invalid value was provided for "Max Records to Return": . Positive number should be provided"." If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "{action name}". Reason: {0}''.format(error.Stacktrace) |
General |
| Case Wall Table | Table Name: {entity identifier} ThreatPaths Table Columns:
|
Entity |
List Vulnerability Hosts
Description
List hosts related to the vulnerability in Attivo.
Parameters
| Parameter name | Type | Default value | Is mandatory | Description |
|---|---|---|---|---|
| Vulnerabilities | CSV | N/A | Yes | Specify a comma-separated list of vulnerabilities for which action needs to return hostnames. |
| Max Hosts To Return | Integer | 50 | No | Specify the number of hosts to return. If nothing is provided, action will return 50 hosts. |
Run on
This action doesn't run on entities.
Action results
Script result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True/False | is_success=False |
JSON result
[
{
"vulnerability": "Presence of local administrative privileges for domain user account",
"hostNames": [
"HOST02SMIME"
]
}
]
Case wall
| Result type | Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If data is available for one vulnerability (is_success=true): "Successfully retrieved hosts for the following vulnerabilities: {vulnerabilities}". If no hosts are related for one vulnerability (is_success=true): "No hosts were found for the following vulnerabilities: {vulnerabilities}" If no hosts are related for all vulnerabilities (is_success=false): "No hosts were found for the provided vulnerabilities." If the response is "{}" for one vulnerability (is_success=true): "Action wasn't able to retrieve information about hosts for the following vulnerabilities: {vulnerabilities}" If the response is "{}" for one vulnerabilities (is_success=false): "Action wasn't able to retrieve information about hosts for the provided vulnerabilities." The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "{action name}". Reason: {0}''.format(error.Stacktrace) |
General |
| Case Wall Table | Table Name: {Vulnerability Name i} Table Columns: Name |
Entity |
List Service ThreatPaths
Description
List ThreatPaths related to services in Attivo.
Parameters
| Parameter name | Type | Default value | Is mandatory | Description |
|---|---|---|---|---|
| Services | CSV | N/A | Yes | Specify a comma-separated list of services for which action needs to return ThreatPaths |
| Max ThreatPaths To Return | Integer | 50 | No | Specify the number of ThreatPaths to return. If nothing is provided, the action returns 50 ThreatPaths. |
Run on
This action doesn't run on entities.
Action results
Script result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True/False | is_success=False |
JSON result
[
{
"service": "Web",
"paths": [
"HOST02SMIME"
]
}
]
Case wall
| Result type | Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If data is available (is_success=true): "Successfully retrieved ThreatPaths for the following services in Attivo: {services}. If no data is available for one service: "No ThreatPaths were found for the following services in Attivo: {services}. If no data available for all services: "No ThreatPaths were found for the provided services in Attivo. The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "{action name}". Reason: {0}''.format(error.Stacktrace) |
General |
| Case Wall Table | Table Name: {entity identifier} ThreatPaths Table Columns:
|
Entity |
Update Event
Description
Update event in Attivo.
Parameters
| Parameter name | Type | Default value | Is mandatory | Description |
|---|---|---|---|---|
| Event ID | String | N/A | Yes | Specify the ID of the event, which needs to be updated. |
| Status | DDL | Select One Possible Values:
|
No | Specify the status for the event. |
| Comment | String | N/A | No | Specify a comment that needs to be added to the event. |
Run on
This action doesn't run on entities.
Action results
Script result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True/False | is_success=False |
Case Wall
| Result type | Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If the 200 status code is reported (is_success=true): "Successfully updated the event with ID "{event_id}" in Attivo.". The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Update Event". Reason: {0}''.format(error.Stacktrace) If "Select One" is selected and the "Comment" is not provided: "Error executing action "Update Event". Reason: at least one of the parameters "Status" or "Comment" should have a value.'' |
General |
Connector
Attivo - Events Connector
Description
Pull events from Attivo into Google Security Operations SOAR.
Configure Attivo - Events Connector in Google Security Operations SOAR
For detailed instructions on how to configure a connector in Google Security Operations SOAR, see Configuring the connector.
Connector parameters
Use the following parameters to configure the connector:
| Parameter name | Type | Default value | Is mandatory | Description |
|---|---|---|---|---|
| Product Field Name | String | Product Name | Yes | Enter the source field name in order to retrieve the Product Field name. |
| Event Field Name | String | attackName | Yes | Enter the source field name in order to retrieve the Event Field name. |
| Environment Field Name | String | "" | No | Describes the name of the field where the environment name is stored. If the environment field isn't found, the environment is the default environment. |
| Environment Regex Pattern | String | .* | No | A regex pattern to run on the value found in the "Environment Field Name" field. Default is .* to catch all and return the value unchanged. Used to allow the user to manipulate the environment field via regex logic. If the regex pattern is null or empty, or the environment value is null, the final environment result is the default environment. |
| Script Timeout (Seconds) | Integer | 180 | Yes | Timeout limit for the python process running the current script. |
| API Root | String | https:/{{ip address}}} | Yes | API root of the Attivo instance. |
| Username | String | N/A | Yes | Attivo API Username. |
| Password | Password | N/A | Attivo API Password. | |
| Status Filter | String | All | Yes | Status filter for the connector. Possible values: unacknowledged, acknowledged, all. |
| Lowest Severity To Fetch | String | Medium | No | Severity that will be used to fetch events. If nothing is specified, action will ingest all events. Possible values: System Activity, Very Low, Low, Medium, High, Very High. |
| Max Hours Backwards | Integer | 1 | No | Amount of hours from where to fetch events. |
| Max Events To Fetch | Integer | 100 | No | How many events to process per one connector iteration. Maximum is 1000. |
| Use whitelist as a blacklist | Checkbox | Unchecked | Yes | If enabled, whitelist will be used as a blacklist. |
| Verify SSL | Checkbox | Checked | Yes | If enabled, verifies that the SSL certificate for the connection to the Attivo server is valid. |
| Proxy Server Address | String | N/A | No | The address of the proxy server to use. |
| Proxy Username | String | N/A | No | The proxy username to authenticate with. |
| Proxy Password | Password | N/A | No | The proxy password to authenticate with. |
Connector Rules
Proxy Support
The connector supports Proxy.